“In FY 2015 OPM was the victim of a massive data
breach that involved the theft of sensitive personal information of
millions of individuals. For many years we have reported critical
weaknesses in OPM’s ability to manage its information technology
(IT) environment, and warned that the agency was at an increased risk
of a data breach. In the wake of this data breach, OPM is finally
focusing its efforts on improving its IT security posture.
Unfortunately, as indicated by the variety of findings in this audit
report, OPM continues to struggle to meet many FISMA requirements.
During
this audit we did close a long-standing recommendation related to
OPM’s information security management structure [Report
Number 4A-CI-00-15-011, November 10, 2015]. However, this audit also
determined that there has been a regression in OPM’s management of
its system Authorization program, which we classified as a material
weakness in the FY 2014 FISMA audit report. In April 2015, the Chief
Information Officer issued a memorandum that granted an extension of
the previous Authorizations for all systems whose Authorization had
already expired, and for those scheduled to expire through September
2016. Should this moratorium on Authorizations continue, the agency
will have up to 23 systems that have not been subject to a thorough
security controls assessment. We continue to believe that OPM’s
management of system Authorizations represents a material weakness in
the internal control structure of the agency’s IT security program.
The moratorium on Authorizations will result in the IT security
controls of OPM’s systems being neglected. Combined with the
inadequacy and non-compliance of OPM’s continuous monitoring
program, we are very
concerned that the agency’s systems will not be protected against
another attack.”

Most federal agencies overseeing the security of
America’s critical infrastructure still lack formal methods for
determining whether those essential networks are protected from
hackers, according to a new government report.

Of the 15 critical infrastructure industries
examined in the Government Accountability Office (GAO) report —
including banking, finance, energy and telecommunications — 12 were
overseen by agencies that didn’t have proper cybersecurity metrics.

Each year, FPF invites privacy scholars
and authors to submit articles and papers to be considered by members
of our Advisory Board, with an aim toward showcasing those articles
that should inform any conversation about privacy among policymakers
in Congress, as well as at the Federal Trade Commission and in other
government agencies.

Because of the
difficulties civil litigants have encountered in challenging
section
702 of the Foreign Intelligence Surveillance Act (as created by
the FISA Amendments Act of 2008), the most realistic forum for
judicial review of the constitutionality of section 702 has been
through a motion to suppress evidence derived from section 702 in a
criminal case (especially once the government actually
began disclosing that it was relying upon such evidence).
Yesterday, Judge Kane (D. Colo.) issued
perhaps the most significant ruling to date on a motion to suppress
702 evidence. In a nutshell, Judge Kane denied the motion, holding
that, both on its face and as applied to the defendant, Jamshid
Muhtorov, section 702 violates neither the Fourth Amendment nor
Article III. In the post that follows, I briefly summarize Judge
Kane’s reasoning, and then explain why each conclusion is deeply
incomplete — and should raise serious grounds for a post-conviction
appeal to the Tenth Circuit. In a nutshell, though, yesterday’s
decision may well have raised more questions than it answered.

Owners of all but the smallest toy drones will
have to register them with the U.S. government before the end of the
year if the Obama administration adopts proposals being issued by a
task force it appointed.

Registration -- designed to make it easier for
authorities to track down the growing numbers of illegal flights --
should be free, easy to complete online and permit multiple devices
on an owner’s filing, the task force is proposing, according to
three people familiar with its recommendations who weren’t
authorized to speak about it.

… The task force members, some of whom are
still uneasy about elements of the compromise, agreed to include
anything weighing more than
250 grams (9 ounces) in the registration program,
according to the people who asked not to be named.

… The
FAA believes that the law requires the agency to charge $5
to register an aircraft and there may be no way to exempt drone
owners from the fee, according to one of the people familiar with the
task force’s debate.

… Via
The San Jose Mercury News: “A 17-year-old Lincoln High School
student has been criminally cited after he hosted an Instagram
account that featured nude photos of underage girls, authorities say,
including some from Lincoln.”

… “It Won’t Be Long Now Until Every School
Has Internet Access,” Wired
trumpets. According to EducationSuperHighway, the share of schools that
meet the FCC’s minimum requirements for Internet speed has jumped
from 30% to 77% since 2013. (Mark Zuckerberg also announced this
week he’s giving EducationSuperHighway $20 million. While
headlines read
that the money will help schools get faster Internet, it will
actually go towards more staff and consultants for
EducationSuperHighway.) Education
Week has a good series of stories on how schools are charged
outrageous fees for lousy Internet service.

… Meanwhile…
“Northern Virginia Community College’s Extended Learning
Institute (ELI) and open courseware provider Lumen Learning announced
a collaboration to publish 24 online college courses for two complete
degree programs. All courses were developed for zero student cost
using open educational resources (OER) (i.e., no textbooks, just
public access Internet).” [The
future? Bob]

… Via
Politico: “The Education Department is doing a poor job on
everything from responding to cyber attacks to updating its software
and hardware, but it’s especially bad at monitoring its computer
networks for threats, according to an annual inspector general
audit.”

… A
report from Australia’s National Assessment Programme says that
tablets are “eroding” children’s digital skills.

… The newly disclosed information about the
email records program is contained in a report by the N.S.A.’s
inspector general that was obtained by The New York Times through a
lawsuit under the Freedom of Information Act. One passage lists
four reasons that the N.S.A. decided to end the email program and
purge previously collected data. Three were redacted, but the fourth
was uncensored. It said that “other authorities can satisfy
certain foreign intelligence requirements” that the bulk email
records program “had been designed to meet.”

The report explained that there were two other
legal ways to get such data. One was the collection of bulk data
that had been gathered in other countries, where the N.S.A.’s
activities are largely
not subject to regulation by the Foreign Intelligence Surveillance
Act and oversight by the intelligence court. Because of the way
the Internet operates, domestic data is often found on fiber optic
cables abroad.

The N.S.A. had long barred analysts from using
Americans’ data that had been swept up abroad, but in November 2010
it changed
that rule, documents leaked by Edward J. Snowden have shown. The
inspector general report cited that change to the N.S.A.’s internal
procedures.

The other
replacement source for the data was collection under the FISA
Amendments Act of 2008, which permits warrantless surveillance on
domestic soil that targets specific noncitizens abroad, including
their new or stored emails to or from Americans.

The Third Circuit has handed down a very
important opinion on Internet surveillance law: In
re Google Cookie Placement Consumer Privacy Litigation (Nov.
10, 2015). The decision is the first case to grapple in detail with
how the Wiretap Act applies to the Internet. If you’re interested
in surveillance law, you need to give this opinion a close and
careful read. It’s a big deal. It leaves some things undecided,
but it also suggests that
the Wiretap Act provides pretty strong privacy protections online.

This post will go over the decision,
explore its reasoning and conclude with its implications.

This is unworkable. You can't sell encryption as
a service if the data is not encrypted for law enforcement. (Another
article that claims the Paris terrorists were encrypting their
communications even though the French government says they did not.)

Blackberry believes in a “balanced”
approach to encryption, incorporating lawful intercept capabilities,
and the company prioritizes cooperation with law enforcement, Chief
Operating Officer Marty Beard said Tuesday.

“We very much take a balanced approach”
to the issue of encryption, he told the FedTalks government IT
summit, differentiating Blackberry’s approach from that of some of
their competitors who are “all about encryption all the way.”

“The Electronic Frontier Foundation (EFF) and
Visualizing Impact launched Onlinecensorship.org
today, a new platform to document the who, what, and why of content
takedowns on social media sites. The project, made possible by a
2014 Knight News Challenge award, will address how social media sites
moderate user-generated content and how free expression is affected
across the globe.”

The telephone was demonstrated publicly for the
first time the same week that Custer rode into the Little Big Horn.
Apparently, the FCC understands technology that old. Or maybe they
will do what Congress spells out for them and consider thinking about
evaluating other proposals...

… The Federal Communications Commission (FCC)
unanimously voted Thursday to seek comment on a
proposal that would increase the maximum length of alerts from 90
characters to 360 characters, among other things.

… The proposal would allow government agencies
to include helpful phone numbers or Web addresses in the alerts. It
would also require wireless carriers to target the alerts to narrower
geographic regions. Currently, alerts go out to counties affected by
an emergency.

Still waiting for a decision in the Kim Dotcom
extradition hearing. This was amusing. How quickly technology
becomes obsolete, lost, and incomprehensible.

When Megaupload was raided early 2012 the U.S.
Government seized 1,103 servers at Carpathia’s hosting facility in
the United States.

Nearly four years have since passed and it’s
still uncertain what will happen to the servers, which are safely
stored in a Virginia warehouse at the moment.

After a renewed request for guidance on the issue,
District Court Judge O’Grady started
to explore what options are on the table. He asked the various
parties what would be required to release the servers and whether
their possible return has any complications.

In a response, hosting company QTS/Carpathia says
that most data will still be intact but that retrieving it will be a
costly endeavor.

The equipment
that was used to link the servers together is no
longer on the market. Used
parts are still available but this would
cost roughly $500,000. In addition, hundreds
of thousands of dollars are needed to move the servers and set them
up properly.

United States Attorney Dana Boente notes that a
successful data return would likely cost millions. However, the
Government has no interest in the servers [Why
were they seized? Bob] and doesn’t want any of
Megaupload’s restrained funds to be released to pay for the costs.

… “The United States further reminds the
Court that the Federal Bureau of Investigation found that many of
these servers contain, as indicated more particularly under seal,
copies of known images of child pornography,” Boente writes (pdf).

… “The MPAA members remain gravely concerned
about the potential release of the copyrighted works that are stored
on the […] servers at issue here,” the movie industry group
writes (pdf).

Transferring the data to Megaupload or another
party would be copyright infringement in and by itself, they argue.

Todd W. Schneider – An
open-source exploration of the city’s neighborhoods, nightlife,
airport traffic, and more, through the lens of publicly available
taxi and Uber data – “The New York City Taxi & Limousine
Commission has released a staggeringly detailed historical dataset
covering over 1.1 billion individual taxi trips in the city from
January 2009 through June 2015. Taken as a whole, the detailed
trip-level data is more than just a vast list of taxi pickup and drop
off coordinates: it’s a story of New York. How bad is the rush
hour traffic from Midtown to JFK? Where does the Bridge and Tunnel
crowd hang out on Saturday nights? What time do investment bankers
get to work? How has Uber changed the landscape for taxis? And
could
Bruce Willis and Samuel L. Jackson have made it from 72nd and
Broadway to Wall Street in less than 30 minutes? The
dataset addresses all of these questions and many more. I mapped the
coordinates of every trip to local census tracts and neighborhoods,
then set about in an attempt to extract stories and meaning from the
data. This post covers a lot, but for those who want to pursue more
analysis on their own: everything in this post—the data, software,
and code—is freely available. Full instructions to download and
analyze the data for yourself are available
on GitHub.”

Aaron Smith: “The
internet is an essential employment resource for many of today’s
job seekers, according to a new survey by Pew Research Center. A
majority of U.S. adults (54%) have gone online to look for job
information, 45% have applied for a job online, and job-seeking
Americans are just as likely to have turned to the internet during
their most recent employment search as to their personal or
professional networks. Yet even as the internet has taken on a
central role in how people find and apply for work, a minority of
Americans would find it difficult to engage in many digital job
seeking behaviors – such as creating a professional resume,
searching job listings online, or following up via email with
potential employers. And while many of today’s job seekers are
enlisting their smartphones to browse jobs or communicate with
potential employers, others are using their mobile devices for far
more complex and challenging tasks, from writing a resume to filling
out an online job application.”

TED-Ed offers a lot of interesting and useful
video lessons for students. Many of the videos are organized into
playlists. Unfortunately, I couldn't find a playlist of all of the
TED-Ed lessons about music. To remedy that problem, I made a
playlist of my own featuring eight
TED-Ed lessons about music.

Thursday, November 19, 2015

Released
this week, IBM’s report (PDF)
cites four key trends that have been observed this year, with
onion-layered and ransomware attacks joined by attacks coming from
inside an organization and by an increased management awareness of
the need to address security threats proactively.

IBM
explains that onion-layered security incidents involve a second, more
damaging attack hidden behind a visible one. Usually, these attacks
are carried out by two actors, namely a script kiddie, an unsophisticated
attacker launching highly visible attacks which can be easily caught,
and a more sophisticated stealthy attacker who might expand their
grip of the victim’s network without being detected for weeks or
even months.

"The
danger in partial link saturation attacks is not the ‘denial of
service’ as the acronym describes, but the attack itself,"
Corero said. "The attack is designed to leave just enough
bandwidth available for other sophisticated multi-vector attacks with
data exfiltration as the main objective, to fly in under the radar,
while the distracting DDoS attack consumes resources."
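One way to turn that pattern into a detection, as an added example that is not code from IBM or Corero: correlate the noisy inbound flood with outbound volume from internal hosts during the same minutes, and flag hosts whose outbound rate jumps relative to their own quiet-period baseline. The NetFlow-style records below are constructed, the 10/8 internal range and the thresholds are assumptions to tune against a real baseline, and the function names are illustrative.

```python
"""Detection sketch for a 'distraction DDoS' hiding data exfiltration: added
example, not code from IBM or Corero. Flow records are constructed and the
thresholds are assumptions to be tuned against a real baseline."""
from collections import defaultdict


def build_sample_flows():
    """Constructed NetFlow-style records: (minute, src_ip, dst_ip, bytes)."""
    flows = []
    # Minutes 0-9: ordinary outbound traffic from two internal hosts.
    for minute in range(10):
        flows.append((minute, "10.0.0.5", "93.184.216.34", 40_000))
        flows.append((minute, "10.0.0.7", "93.184.216.34", 30_000))
    # Minutes 10-14: a partial link-saturation flood against web server
    # 10.0.0.1 from 40 sources, noisy but not enough to take the link down...
    for minute in range(10, 15):
        for i in range(40):
            flows.append((minute, f"203.0.113.{i}", "10.0.0.1", 120_000))
        flows.append((minute, "10.0.0.5", "93.184.216.34", 40_000))
        # ...while 10.0.0.7 quietly pushes data to a single external host.
        flows.append((minute, "10.0.0.7", "198.51.100.9", 2_000_000))
    return flows


def is_internal(ip):
    return ip.startswith("10.")   # assumption: 10/8 is the internal range


def find_flood_minutes(flows, min_sources=20, min_bytes=1_000_000):
    """Minutes in which some internal host receives at least min_bytes from at
    least min_sources distinct external sources (the visible, noisy attack)."""
    per_minute = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for minute, src, dst, nbytes in flows:
        if is_internal(dst) and not is_internal(src):
            entry = per_minute[minute][dst]
            entry[0].add(src)
            entry[1] += nbytes
    return sorted(m for m, hosts in per_minute.items()
                  if any(len(s) >= min_sources and b >= min_bytes
                         for s, b in hosts.values()))


def find_exfil_candidates(flows, flood_minutes, ratio=5.0):
    """Internal hosts whose per-minute outbound volume during the flood is at
    least `ratio` times their per-minute volume outside it. Returns
    {host: {"ratio": r, "dests": [...]}}. A host with no baseline at all is
    flagged too: a machine that never talked out before is worth a look."""
    flood = set(flood_minutes)
    if not flood:
        return {}
    quiet = {f[0] for f in flows} - flood
    baseline, during, dests = defaultdict(int), defaultdict(int), defaultdict(set)
    for minute, src, dst, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue                      # outbound, internal -> external only
        if minute in flood:
            during[src] += nbytes
            dests[src].add(dst)
        else:
            baseline[src] += nbytes
    flagged = {}
    for host, total in during.items():
        rate_during = total / len(flood)
        rate_base = baseline[host] / max(len(quiet), 1)
        r = float("inf") if rate_base == 0 else rate_during / rate_base
        if r >= ratio:
            flagged[host] = {"ratio": round(r, 1), "dests": sorted(dests[host])}
    return flagged


if __name__ == "__main__":
    sample = build_sample_flows()
    window = find_flood_minutes(sample)
    print("flood minutes:", window)
    for host, info in find_exfil_candidates(sample, window).items():
        print(f"{host}: {info['ratio']}x baseline outbound, to {info['dests']}")
```

On the sample, the flood window is minutes 10 through 14 and only 10.0.0.7 is flagged (about 67 times its baseline, all to one destination), while 10.0.0.5 keeps its normal rate and is left alone. On real flow data, exclude the flooded host's own reply traffic before computing outbound rates, use a baseline far longer than ten minutes, and consider comparing per destination rather than per host so a low-and-slow transfer to a new endpoint still stands out.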

Based
on investigations conducted by Mandiant/FireEye throughout 2014, the
median number of days that attackers were present on a victim’s
network before being discovered was
205 days.

IBM
provided fundamental advice, suggesting that organizations keep
systems updated and increase
their visibility into the network, as well as build an
internal security operations center, create operational procedures,
and ensure an appropriate
level of logging, in addition to periodically performing
penetration testing exercises.

Not
a huge breach, but it illustrates (for my Computer Security students)
how failure to follow Best Practices can result in the recreation of
well-known failures.

Australians’ private tax records were
left unsecured thanks to a serious flaw in how the tax office’s
online services connect with myGov, in the latest of a series of
security bungles related to the federal government’s online
services.

Experts have raised concerns over the
handling of IT security issues by the Australian Taxation Office and
the Department of Human Services, which runs the overarching service
portal myGov, after a
taxpayer who tried to report the issue claimed he was hung up on
twice by the agencies’ call centre staff.

In a video obtained exclusively by Fairfax Media,
Liew demonstrated how downloading a PDF letter from the tax office by
clicking on a link within the myGov mailbox creates a "cookie"
which logs the user into ato.gov.au. (In this case, cookies are used
to authenticate the "single sign-on" process, or SSO,
whereby the user only has to login once with myGov to access multiple
linked services, such as tax, Medicare and Centrelink.)

Because clicking on the PDF link didn't actually
open a browser page at ato.gov.au and therefore a page was never
closed, the cookie did not expire, meaning the next user who logged
in to myGov and clicked on a link to ato.gov.au saw the previous
user's records.
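The sequence described above, as an added example that is not code from Fairfax Media, myGov or the ATO: a hypothetical two-service single sign-on in Python, with one shared browser object standing in for a public computer. The domain names, record contents and function names are assumptions. It shows the two independent fixes a practitioner would want: the portal revoking, server-side, the linked sessions it created when the user logs out (single logout), and the linked service starting a fresh session whenever the portal hands it a new user instead of trusting whatever cookie is already in the browser.

```python
"""Hypothetical single sign-on (SSO) simulation: added example, not code from
myGov, the ATO or Fairfax Media. Domains, records and names are assumptions."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """A shared browser (think a public computer). Cookies are per domain, so
    the portal cannot clear a cookie that belongs to the linked service."""
    cookies: dict = field(default_factory=dict)

    def set_cookie(self, domain, name, value):
        self.cookies.setdefault(domain, {})[name] = value

    def get_cookie(self, domain, name):
        return self.cookies.get(domain, {}).get(name)

    def clear_cookie(self, domain, name):
        self.cookies.get(domain, {}).pop(name, None)


class LinkedService:
    """Downstream service holding the sensitive records (think ato.gov.au)."""
    DOMAIN = "tax.example"  # assumption

    def __init__(self, records):
        self.records = records   # user -> record text (constructed)
        self.sessions = {}       # session id -> user

    def consume_sso(self, browser, asserted_user, rebind_on_sso):
        """Handle the portal's SSO handoff. rebind_on_sso=False (vulnerable):
        an existing valid session cookie wins and the freshly asserted user is
        ignored. rebind_on_sso=True (hardened): always replace any existing
        session with one bound to the user the portal just asserted."""
        existing = browser.get_cookie(self.DOMAIN, "sid")
        if not rebind_on_sso and existing in self.sessions:
            return existing
        self.sessions.pop(existing, None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = asserted_user
        browser.set_cookie(self.DOMAIN, "sid", sid)
        return sid

    def view_records(self, browser):
        user = self.sessions.get(browser.get_cookie(self.DOMAIN, "sid"))
        return None if user is None else self.records[user]

    def revoke(self, sid):
        self.sessions.pop(sid, None)


class Portal:
    """The SSO portal (think myGov). Remembers which linked sessions each
    login created so that logout can tear them down server-side."""
    DOMAIN = "portal.example"  # assumption

    def __init__(self, linked, single_logout):
        self.linked = linked
        self.single_logout = single_logout
        self.sessions = {}       # portal sid -> (user, [linked sids])

    def login(self, browser, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, [])
        browser.set_cookie(self.DOMAIN, "sid", sid)

    def open_linked_service(self, browser, rebind_on_sso):
        """The 'click the PDF letter link' step: hand the user off via SSO.
        No page on the linked domain is ever opened or closed, so the cookie
        it sets simply lingers in the browser."""
        user, linked_sids = self.sessions[browser.get_cookie(self.DOMAIN, "sid")]
        linked_sids.append(self.linked.consume_sso(browser, user, rebind_on_sso))

    def logout(self, browser):
        portal_sid = browser.get_cookie(self.DOMAIN, "sid")
        _, linked_sids = self.sessions.pop(portal_sid, (None, []))
        browser.clear_cookie(self.DOMAIN, "sid")
        if self.single_logout:
            # Hardened: revoke downstream sessions on the server. The stale
            # cookie stays in the shared browser but no longer maps to anyone.
            for lsid in linked_sids:
                self.linked.revoke(lsid)


def run_scenario(single_logout, rebind_on_sso):
    """Two people use the same browser in turn; return what the second sees."""
    records = {"alice": "alice's tax records", "carol": "carol's tax records"}  # constructed
    linked = LinkedService(records)
    portal = Portal(linked, single_logout)
    browser = Browser()
    portal.login(browser, "alice")
    portal.open_linked_service(browser, rebind_on_sso)  # alice downloads her letter
    portal.logout(browser)                              # and walks away
    portal.login(browser, "carol")
    portal.open_linked_service(browser, rebind_on_sso)  # carol follows the same link
    return linked.view_records(browser)
```

With both flags False, run_scenario returns alice's records to carol, which is the failure the article describes; enabling either fix on its own returns carol's own records. In a real deployment the portal cannot clear the linked domain's cookie, so single logout has to be a server-side revocation or a redirect through the linked service's own logout endpoint, and the linked service should additionally keep its SSO-derived sessions short-lived rather than relying on a page being closed.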

(Related) A somewhat larger breach, illustrating
how failure to follow established (but apparently unsupervised)
procedures can send things south in a hurry.

Secretary
of State released names and all identifying info on 6.1 million
voters

Every month, the Secretary of State (Brian Kemp)
releases all the new registered voters on a disc so that various
entities can update their records. This information is generally
limited to names, addresses, and demographic information. But last
week, the SoS decided to give out a bunch of information it has
collected on you and everybody you know to anyone who signed up.

Their
monthly CD for October contained the Drivers license number, social
security number, full name, address, and everything else you need to
steal someone’s identity for every single registered voter in
Georgia. All 6.1 million of us. It was not encrypted.
It was not password protected. It was a gift for anyone who ever
thought of doing wrong.

Carnegie
Mellon Says It Was Subpoenaed (and Not Paid) for Research On Breaking
Tor

Carnegie
Mellon University today implied in a statement that it was served
with a subpoena to hand over research related to unmasking the
identity of users on the Tor network, and that it was not paid $1
million by the FBI for doing so, as alleged
by the Tor Project.

The statement, released shortly after noon
Eastern, is vague and fails to answer a number of outstanding
questions not only about the ethics and legality of the attack on
Tor, but also whether the research was prompted by the government,
which the Snowden documents revealed, has had its struggles breaking
Tor traffic.

Of
course NSA would like to review these “exploits.” It's possible
(if unlikely) there might be something to learn, but at minimum there
will be “fingerprints” to record. I wonder if they can trace
anyone who subscribes? Perhaps companies could fund an organization
to buy and analyze and then share the results?

… In an unprecedented move Wednesday, the
zero-day broker startup Zerodium published a price chart for
different classes of digital intrusion techniques and software
targets that it buys from
hackers and resells in a subscription service to customers
that include government agencies. The list, which details the sums
it pays for attack methods that affect dozens of different
applications and operating systems, represents one of the most
detailed views yet into the controversial and murky market for secret
hacker exploits.

… An attack that can fully, remotely take over
a victim’s computer through his or her Safari or Internet Explorer
browser, for instance, fetches a price of as much as $50,000. For
the harder target of Google Chrome, Zerodium’s price rises to
$80,000. Remote exploits that entirely defeat the security of an
Android or Windows Phone device go for as much as $100,000. And an
iOS attack can earn a hacker half a million dollars, by far the
highest price on the list.

… Zerodium, in other words, is keeping its
fresh hacker techniques under wraps for its customers, which it says
include “government organizations in need of specific and tailored
cybersecurity capabilities,” as well as corporate customers it says
use the techniques for defensive purposes. Zerodium founder Bekrar
says Zerodium clients pay
subscription rates of at least $500,000 a year for access
to its exploits. He wouldn’t name any specific customers. But
Bekrar’s last startup, the French company Vupen, more explicitly
offered its zero-day exploits to customers it described as government
agencies within NATO and “NATO ally” countries. A Freedom of
Information request from the investigative news site Muckrock in 2013
showed
that Vupen’s customers included the NSA.

Not everyone who should encrypt their
communications bothers to do so. Not all terrorists are
knowledgeable about secure communications and many are mere “cannon
fodder” who are not worth investing the time and effort to train.
That does not mean every terrorist communication will be recognized,
analyzed, and communicated to appropriate authorities in time to
stop attacks.

In the wake of the Paris attack, intelligence
officials and sympathizers upset by the Edward Snowden leaks and the
spread of encrypted communications have tried
to blame Snowden for the terrorists’ ability to keep their
plans secret from law enforcement.

Yet news emerging from Paris — as well as
evidence from a Belgian ISIS raid in January — suggests that the
ISIS terror networks involved were communicating in the clear, and
that the data on their smartphones was not encrypted.

… Details about the major ISIS terror plot
averted 10 months ago in Belgium also indicate that while Abaaoud
previously attempted to avoid government surveillance, he did not use
encryption.

A prescient bulletin
sent out in May by the Department of Homeland Security assessed “that
the plot disrupted by Belgian authorities in January 2015 is the
first instance in which a large group of terrorists possibly
operating under ISIL direction has been discovered and may indicate
the group has developed the capability to launch more complex
operations in the West.”

Abaaoud’s planned operation in Belgium was blown
when authorities, who had been closely surveilling his three
accomplices, stormed their safe house in the city of Verviers after
determining that they were planning a major attack — very much like
the one that took place in Paris on Friday. A pitched firefight
between Belgian commandos and the ISIS veterans firing Kalashnikov
rifles and lobbing grenades ended with two suspects dead and a third
captured.

Belgian investigators concluded that Abaaoud
directed the foiled operation there by cellphone from Greece — and
that despite his attempts to avoid surveillance, his communications
were in fact intercepted.
Just a few days after the raid, Belgian news website RTL
Info
ran a whole article titled “What the Terrorist Suspects under
Surveillance Were Saying.” It described surveillance over several
months, through wiretaps and listening devices placed in the
suspects’ car and their apartment.

(Related) Perhaps they were too arrogant to call
for help? No doubt this is what the CIA and FBI will be talking
about in those Congressional hearings.

ISIS Has
Help Desk for Terrorists Staffed Around the Clock

… Counterterrorism analysts affiliated with
the U.S. Army tell NBC News that the ISIS help desk, manned by a
half-dozen senior operatives around the clock, was established with
the express purpose of helping would-be jihadists use encryption and
other secure communications in order to evade detection by law
enforcement and intelligence authorities.

Interesting and strange guy. He appears to be
doing what is expected, but I doubt his heart is in it.

Founder of
app used by ISIS once said ‘We shouldn’t feel guilty.’ On
Wednesday he banned their accounts.

Pavel Durov knew that terrorists were using his
app to communicate. And he decided it was something he could live
with.

“I think that privacy, ultimately, and our right
for privacy is more important than our fear of bad things happening,
like terrorism,” the founder of Telegram, a highly secure messaging
app, said at a TechCrunch
panel in September when asked if he “slept well at night”
knowing his technology was used for violence.

… “Ultimately, ISIS will find a way to
communicate with its cells, and if any means doesn’t feel secure to
them, they’ll [find something else]. We shouldn’t feel guilty
about it. We’re still doing the right thing, protecting our users’
privacy.”

… In a Facebook
post, Durov blamed “shortsighted socialists” in the French
government for the attacks as much as Islamic State militants.

Which is why a statement from Telegram posted
on its site Wednesday is such a surprising reversal of course.

“We were disturbed to learn that Telegram’s
public channels were being used by ISIS to spread their propaganda,”
it read. “… As a result, this week alone we blocked 78
ISIS-related channels across 12 languages.”

The statement had a ring of insincerity to it,
given Durov’s comments two months ago (the New
York Times noted that the statement sounded like Claude Rains’s
famous line in “Casablanca,” claiming to be “shocked,
shocked” to find that gambling was happening at Rick’s, just
before collecting his winnings).

Interesting. App data for people who haven't even
installed the Apps! Android only, so far.

… With today's changes, Google will start
showing content in mobile search results that only lives within apps,
for example, apps with content that doesn't have a corresponding web
page.

An example of a mobile app that has corresponding
web content is Facebook, which earlier
this week enabled Google's app indexing. Now Android users can
hop from search results of indexed Facebook pages directly to the
relevant part of Facebook's app. Other popular apps that are indexed
by Google include Airbnb, Instagram and Pinterest.

Under the extended app-indexing service, content
from apps such as HotelTonight, which does not have corresponding web
content, will also appear in search results. The aim is to make it
easier to find information in applications.

Along with this development, Google has kicked off
app-streaming from Search, so users can interact with an app that
they haven't yet installed.

"With one tap on a Stream button next to the
HotelTonight app result, you'll get a streamed version of the app, so
that you can quickly and easily find what you need, and even complete
a booking, just as if you were in the app itself. And if you like
what you see, installing it is just a click away. This uses a new
cloud-based technology that we're currently experimenting with,"
Google engineering manager Jennifer Lin said.

According to Marketing Land, for now these options will
only be available within the Google app on Android 5.0 and Android
6.0 handsets.

… In one corner, a lanky blonde woman examines
a white cashmere turtleneck before placing it back on its hanger.
Had she taken the item into one of the dressing rooms, she'd
immediately find an image of the turtleneck displayed on the
touchscreen mirror in front of her, with options to request a
different size, a different color or a pair of jeans to go with it.

That's right -- the fitting rooms in Ralph
Lauren's Polo flagship are smart. Very smart. Equipped with
radio-frequency identification technology that tracks items via their
tags, the room identifies every item that enters and reflects it back
on the mirror that doubles as a touchscreen. Shoppers can interact
with the mirror, which functions like a giant tablet, to control the
lighting, request alternate items or style advice from a sales
associate.

“You can find the list geotagged on a map at
opendatainception.io.
When building the
best Open Data portals, the same question always comes
up. Where can I find clean and usable data? Our answer is usually:
“Did you search on existing Open Data portals?” But the truth
is, some Open Data portals can be hard to come by. We decided to put
together a resource that would be truly useful for all the data geeks
out there (and we know we are plenty). We called this project: Open
Data Inception. We rolled up our sleeves and started
aggregating all of the Open Data portals we could get our hands on.
We are thrilled to present you the first version of our comprehensive
list of 1600+ Open Data portals around the world. To
facilitate your search, we decided to geotag intergovernmental
organization portals on their parent organization headquarters. The
table of contents will give you a summary of all countries
represented on this list. Simply click on a country’s name and the
page will bring you to the correct section. If you are curious about
how we created this list, we
wrote an article about it. We hope that you will find solace in
your data quest with this list. Don’t hesitate to send us feedback
through the form at the bottom of the page or at @opendatas”

… Today we’re testing fundraisers – a new
tool – and improving our Donate button, to allow people to donate
to charities without leaving Facebook. We hope these features help
nonprofits reach new supporters, engage their community and get the
valuable funding they need to continue their good work.

In 2013, we first tested different ways for
nonprofits to fundraise on Facebook.

I subscribe (via RSS) to a couple of these.
Perhaps I should look at some others.

… Users manage their padlocks through a
smartphone app, and have a variety of methods at their disposal to
unlock the LockSmart: either by passcode, Touch ID, or tapping an
icon on the phone app. The unlock signal is then sent by Bluetooth
using 128-bit encryption to the padlock.

… Microsoft has launched a new Cyber Defense
Operations Center at its headquarters in Redmond, Washington, Nadella
told attendees, as part of the US$1 billion a year it plans to spend
on security.

Nadella boasted -- raising a few eyebrows -- that
Windows 10 was the most secure operating system in the world, and
that the company aimed to be able to detect and respond to security
threats in real time anywhere in the world on any type of device for
any type of customer within its ecosystem.

Scare tactics? Is the CIA trying to say, “use
encryption, become a target?”

Take a
Stroll over to the App Store to Download the Very Same App ISIS Uses

… According to the Daily
Beast, ISIS is encouraging its members and followers to use
Telegram after
the deadly attacks in Paris as a means of subverting spies.

CIA Director John Brennan is quite concerned about
the technology’s prominence among jihadists, saying Monday:

“There are a lot of technological
capabilities that are available right now that make it exceptionally
difficult, both technically as
well as legally, [??
Bob] for intelligence and security services to have the
insight they need to uncover.”

Brennan added:

“There has been a significant increase
in the operational security of a number of these operatives and
terrorist networks as they have gone to school on what it is that
they need to do in order to keep their activities concealed from the
authorities.” [Knowing
you might become a target for a Maverick Missile does seem to
concentrate the mind. Bob]

… While the CIA feels the threat of this kind
of technology is real, there is a different tone outside the
intelligence community, such as Matthew Green, an assistant professor
at the Johns Hopkins Information Security Institute, who said:

“Law enforcement is talking about easy
encryption apps that you download from the app store. What we’ve
learned from terrorists is that they will go to great lengths to
encrypt and even hide their
communications in code. They’re not completely
dependent on these easy use apps that people are talking about.”

… The Berlin-based startup boasts two layers
of encryption and claims to be "faster and more secure"
than its competitor WhatsApp, which is owned by Facebook.

Users can securely message friends and send
pictures and files. They can also create group
chats with up to 200 members or opt for "special
secret chats" where messages, photos, and videos will
self-destruct.

… ISIS is also using Telegram to broadcast big
messages on the app's "channels," which are devoted to a
variety of topics. It was on the official ISIS channel that the
group said the Paris attacks would be the "first of the storm."

So, what can you do? (Let me guess. You could do
something if you had a bigger budget.)

The head of the Federal Communications Commission
(FCC) on Tuesday shot down suggestions that the agency could take
down websites used by the Islamic State in Iraq and Syria (ISIS) and
other terrorist groups.

… "We cannot underestimate the
challenge," FCC Chairman Tom Wheeler responded. "I'm not
sure our authority extends to [shut down the websites], but I do
think there are specific things we can do."

Wheeler similarly told Rep. Bobby Rush (D-Ill.)
that the commission does not have the authority to target the social
media accounts of gang leaders in the United States that are
contributing to urban violence.

"We
do not have jurisdiction over Facebook and all the other edge
providers. We do not intend to assert jurisdiction over
them," Wheeler said.

But the chairman said he can use the FCC's bully
pulpit to press tech CEOs on the issue, such as Facebook's Mark
Zuckerberg.

"I
will call Mark Zuckerberg this afternoon to raise the
issue you've raised and the issue Mr. Barton raised. And I'm
sure he is concerned as well and he'll have some thoughts,"
Wheeler said.

… Wheeler offered other areas where the
commission could take action. He specifically mentioned the rash of
vandalism to
fiberoptic cables in the California Bay Area.

… Wheeler said the system, called the Network
Outage Reporting System, could be mined to put together larger trends
about outages. But he said that is currently impossible because the
system is running on outdated technology, being held together by
"baling wire and glue."

(Related) Gosh! I wonder if they called Mark Zuckerberg for
advice too?

… This Ivy League institution has become the
center of a free speech debate after two conflicting emails were sent
out to students about Halloween costumes. The first email, sent to
the campus by the Intercultural
Affairs Committee, which seeks to promote an inclusive and
diverse campus, requested that students avoid wearing “culturally
unaware or insensitive” Halloween costumes, including Native
American dress, redface and blackface. In response, faculty member
Erika Christakis sent an email saying students should be free to wear
whichever costumes they choose. Both were cited by the Foundation
for Individual Rights in Education (FIRE).

… According to the Yale
Daily News, the student newspaper, students have skipped classes
and midterm exams, or requested extensions citing
emotional distress as rendering them unable to fulfill academic
obligations.

Now, hundreds of alumni are frustrated with how
Yale has handled the crisis. Many have threatened to
withhold future donations if the administration favors protesting
students.

Perspective. “It's not fair! They have a
larger population than we do!”

The report claims that the total number of
Internet users in the country will reach 402 million by December, of
which 351 million will go online daily. That first figure would see
India surpass the U.S. on total web users, but leave it some way behind
China, which claims over 600 million.

A Bluefield auto dealership owned by
Republican gubernatorial candidate Bill Cole has asked Gov. Earl Ray
Tomblin’s office to investigate a state agency’s recent release
of the names, salaries and social security numbers of more than 200
employees who work for Cole.

The Charlotte Gazette-Mail reports that the state
Division of Labor released the employees’ confidential
information last month, in response to a request from the newspaper
for a story about wage complaints filed against businesses owned by
candidates for governor in West Virginia.

Britain
on Tuesday said it will double its investment in cyber-security to
counter threats including from the Islamic State group, in the wake
of the Paris attacks claimed by IS.

Speaking
at the headquarters of Britain's electronic spy agency GCHQ in
southwest England, finance minister George Osborne said the money
would be used against criminals, rogue states and terror factions.

Osborne
said that, while IS jihadists did not yet have the capability for
attacking Britain's infrastructure through the web, "we know
they want it, and are doing their best to build it".

Vice’s Motherboard is puzzling
over a massive leap in the number of Title III wiretap orders served
on Facebook during the first half of 2015: A whopping 201 (targeting
259 users) over the course of just six months, according to the
social networking giant’s latest
transparency report, compared with a mere nine such orders
(targeting 16 users) for the whole of 2014. The experts Motherboard
interviewed were at a loss to explain the jump, but one quite simple
and plausible explanation leaps out at me: WhatsApp, the instant
messaging client whose acquisition
was finalized by Facebook at the very end of last year — and
which law enforcement officials routinely
say is favored by bad actors looking to communicate securely.

You wouldn’t pay a private company to get your
car registered, and you don’t need to hire one to get your drone
registered either, the Federal Aviation Administration said Monday.

At least one private firm has begun offering to
handle drone registration for a fee, helping drone owners to comply
with an FAA mandate that requires registration, the federal agency
said. But the FAA still hasn’t sorted out how registration will be
handled and cautions against paying money prematurely for assistance.

The illogic of politics. No doubt we will see a
lot of statements like this one.

Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks

American and French officials say there is still
no definitive evidence to back up their presumption that the
terrorists who massacred 129 people in Paris used new,
difficult-to-crack encryption technologies to organize the plot.

It's the future, but is it wise, or even legal?
For example, leaving a running car unattended (a “puffer car”) is
illegal in Denver and Aurora, perhaps statewide?

Ford Borrows A Play From Tesla, Launches App With Remote Start, Unlocking And More

Ford just announced a service that allows owners
to control their car from a smartphone app. Called Sync Connect, the
service brings a lot of functionality not traditionally found in gas
automobiles — let alone, inexpensive gas-powered cars. The
functions rival that found on Tesla’s app and will first be
available on the 2017 Ford Escape small SUV.

This app allows owners to lock and unlock their
vehicle from afar as well as remotely start the engine. It even
allows owners to schedule remote starts, so, say, if the owner leaves
the house every day at 7:00 AM, this app can start the car on
designated days at 6:55 so it’s nice and toasty warm by 7:00.

This sounds very “politically incorrect” but
what the author says is that communicating using a global language
makes it easier to see global connections.

… When we think of innovation, we tend to
think of smart, technically trained people sitting in a room coming
up with game-changing ideas. But innovation is just as much a
function of connections—of a person’s or team’s ability to
access global information networks and work alongside others with
relevant skills.

In a global economy, English
facilitates those connections. When a country has strong English
abilities, its innovation sector can better pull from the global pool
of talent and ideas. And we now have data that illustrates the close
relationship between innovation and English proficiency worldwide.

Ha! Take that you posture weenies. I've been
doing it right all along!

The Seattle City Council voted against a $5
million municipal
broadband pilot program on Monday, delivering a major blow to
groups that want to see the Internet treated like a public utility
akin to electricity.

For first time ever, an emoji is crowned Oxford Dictionaries’ Word of the Year

… Oxford Dictionaries has recognized the
influential and complex function of emoji by giving one of the
symbols its highest honor. For the first time in Oxford’s history,
the Word of the Year is a pictograph.

Officially, 2015’s linguistic champion is known
as the “Face with Tears of Joy” emoji. Oxford Dictionaries
announced in a statement
Monday: “There were other strong contenders from a range of
fields…but [Face with Tears of Joy] was chosen as the ‘word’
that best reflected the ethos, mood and preoccupations of 2015.”

How These College Kids Got 150 Top CEOs to Give Them Book Recommendations

There are millions of books that can help you
navigate the business world, but which are the best of the best?

That's what Julia Wittrock and Grant Hensel wanted
to know as they prepared to graduate from Wheaton College this past
May. Like many students, the two were about to start their first
jobs: Wittrock as a strategic sourcing analyst at 3M in Minneapolis
and Hensel as an analyst at Slalom Consulting in Chicago.

Three weeks before graduation, the two friends
sent short letters to all of the CEOs on the Fortune 500 list, asking
them for their favorite business book recommendations.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.